Importing Domain Controller 2012 Gallery item into Azure pack

Downloading Gallery resource files from Codeplex

Log in to your VMM server.

Install WebPI: http://www.microsoft.com/web/downloads/platform.aspx

Click Options and, in the custom feed field, add http://www.microsoft.com/web/webpi/partners/servicemodels.xml

Click Add feed and close the dialog.

Now go to Service Models, add Domain Controller – Windows Server 2012 Gallery Resource and click Install.

Once downloaded, you should see the following files:

Preparing a VHDX file with sysprepped WS2012

I have a sysprepped Windows Server 2012 R2 image WS2012_R2_Gen1.vhdx stored in my VMM library VMMUserlibrary.

Now we set the parameters the WS2012 Domain Controller resource requires with the PowerShell script below. FamilyName, Release and Tag are what the gallery item matches on, so they must be exactly as given:

# Metadata the Domain Controller gallery item expects on the disk
$VHDName    = "WS2012_R2_Gen1.vhdx"
$FamilyName = "Windows Server 2012 R2 DataCenter"
$Release    = "1.0.0.0"
$Tags       = "WindowsServer2012"
# AVMA key for Windows Server 2012 R2 Datacenter (a public Microsoft key, not a secret)
$AVMAKey    = "Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TW"
$MyVHDX = Get-SCVirtualHardDisk | where { $_.Name -eq $VHDName }
# The name must match a VMM operating system entry exactly; list them with Get-SCOperatingSystem
$2K12DC = Get-SCOperatingSystem | where { $_.Name -eq '64-bit edition of Windows Server 2012 Datacenter' }
# Keep any tags already on the disk and add ours if it is missing (tag comparison is case sensitive)
$oTags = $MyVHDX.Tag
if ( $oTags -cnotcontains $Tags ) { $oTags += @($Tags) }
Set-SCVirtualHardDisk -VirtualHardDisk $MyVHDX `
    -OperatingSystem $2K12DC `
    -FamilyName $FamilyName `
    -Release $Release `
    -Tag $oTags `
    -ProductKey $AVMAKey

Here is how it looks:

Importing Cloud Resource Extension

Use the following PowerShell script:

$LibraryShareName = "VMMUserLibrary"
# Path to the .resextpkg file extracted from the gallery download
$resextpkg = "C:\Gallery Resources\DomainController_WS2012_VMRole_Pkg\DomainControllerWindows2012.resextpkg"
$Library = Get-SCLibraryShare | Where-Object { $_.Name -eq $LibraryShareName }
Import-CloudResourceExtension -ResourceExtensionPath $resextpkg -SharePath $Library -AllowUnencryptedTransfer

The -AllowUnencryptedTransfer switch lets the package be copied to the library share without encrypting the transfer; that is acceptable on a trusted management network, but leave it out if the library share traffic crosses a network you do not control.

IMPORTANT: My vhdx file WS2012_R2_Gen1.vhdx is stored in my VMM library VMMUserlibrary, and this library is configured as a readable library share in my VM cloud in VMM. If the share is not attached to the cloud, the gallery item cannot find the disk.
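The following pre-flight check is an added example, not part of the original post. It verifies that the VHDX carries the FamilyName, Release, Tag and operating system the gallery item is matched on, and that the disk sits on a library share the VM cloud can read (the IMPORTANT note above). The cloud name and the ReadableLibraryPaths property name on the cloud object are assumptions; confirm the property with Get-SCCloud | Get-Member if your VMM build exposes it under a different name.

```powershell
# Added example, not the post's own script. Run on the VMM server.
# Assumptions: the VM cloud name below, and that the cloud object exposes ReadableLibraryPaths.
Import-Module virtualmachinemanager

$VHDName   = 'WS2012_R2_Gen1.vhdx'
$CloudName = 'Tenant Cloud'                         # assumption: your VM cloud in VMM
$Expected  = @{ FamilyName = 'Windows Server 2012 R2 DataCenter'; Release = '1.0.0.0'; Tag = 'WindowsServer2012' }

$disks = @(Get-SCVirtualHardDisk | Where-Object { $_.Name -eq $VHDName })
if ($disks.Count -eq 0) { throw "VHDX '$VHDName' not found in any VMM library share" }
if ($disks.Count -gt 1) { throw "$($disks.Count) disks are named '$VHDName'; use a unique name so the lookup is unambiguous" }
$vhd = $disks[0]

$problems = @()
# The resource definition selects a disk by FamilyName, Release and Tag; all three must match exactly.
if ($vhd.FamilyName -ne $Expected.FamilyName) { $problems += "FamilyName is '$($vhd.FamilyName)', expected '$($Expected.FamilyName)'" }
if ($vhd.Release    -ne $Expected.Release)    { $problems += "Release is '$($vhd.Release)', expected '$($Expected.Release)'" }
if (@($vhd.Tag) -cnotcontains $Expected.Tag)  { $problems += "Tags '$($vhd.Tag -join ',')' lack '$($Expected.Tag)' (tags are case sensitive)" }
if (-not $vhd.OperatingSystem)                { $problems += 'OperatingSystem is not set (Set-SCVirtualHardDisk -OperatingSystem)' }

# The disk must be on a library share the cloud can read, or tenant deployments never find it.
$cloud = Get-SCCloud -Name $CloudName
if (-not $cloud) { throw "Cloud '$CloudName' not found" }
$readable = @($cloud.ReadableLibraryPaths)          # assumption: property name on the VMM cloud object
if (-not ($readable | Where-Object { $vhd.SharePath -like "$_*" })) {
    $problems += "'$($vhd.SharePath)' is not under any readable library path of '$CloudName': $($readable -join '; ')"
}

if ($problems.Count -gt 0) {
    Write-Warning "'$VHDName' is not ready for the Domain Controller gallery item:"
    $problems | ForEach-Object { Write-Warning ("  - " + $_) }
} else {
    Write-Output "'$VHDName' is ready: $($vhd.FamilyName) / $($vhd.Release) / $($vhd.Tag -join ',') on $($vhd.SharePath)"
}
```

Run it after Set-SCVirtualHardDisk and again after attaching the library share to the cloud; a disk that passes here will be offered to tenants as soon as the gallery item is public and in a plan.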

Windows Azure Pack Service Administrator Portal

  • Open the Admin Portal and navigate to VM Clouds.
  • Click the Gallery tab, then Import, and select DomainControllerWindows2012.resdefpkg.
  • Finally, make your Gallery item Public and add it to your Hosting Plan.

Now you can start testing 🙂

Configuring RD Gateway for Azure Pack Console Connect with a public certificate

The RD Gateway is a crucial component of VM Clouds in Azure Pack: it gives your tenants the option to connect to the console of their VMs. I found many guides on how to configure it with either a self-signed certificate or certificates from an internal CA. For production use, the RD Gateway needs to be published externally with a certificate from a trusted CA. Note that for Azure Pack console connect we also need a second certificate from the internal CA (VMM signs the console connect tokens with it, and the gateway accepts only tokens from issuers it trusts). Here is my approach.

Requirements:

  • Internal Windows Certificate Authority
  • Dedicated server for the RD Gateway (or two for HA)
  • Functional VM Cloud infrastructure (Azure Pack, VMM, SPF and Hyper-V hosts)
  • Public certificate from a trusted Certificate Authority (I will use a wildcard certificate from GoDaddy)
  • Public DNS name and public IP pointing to your RDGW server

Design Overview: (diagram)

RDS Gateway installation

Run the following in PowerShell:

Install-WindowsFeature -Name RDS-Gateway  -IncludeManagementTools

RD Gateway Console Connect Installation

Insert the System Center 2012 R2 VMM installation media into the RDGW server and install the RD Gateway Console Connect plug-in from this path on the media:

AMD64\Setup\msi\RDGatewayFedAuth\RDGatewayFedAuth.msi

Import Public Certificate into RD Gateway Console

Next open the RD Gateway Manager console, right-click the server name and select Properties.

On the SSL Certificate tab, import your public certificate (in my case the wildcard certificate from GoDaddy).

Internal Certificate Preparation

An internal certificate is needed to establish trust between VMM, the RD Gateway and the Hyper-V hosts: VMM signs console connect tokens with its private key, and the gateway's FedAuth plug-in accepts only tokens from the issuer thumbprints it is told to trust.

Create Certificate Template:

  • Open the Certification Authority console, click Manage under Certificate Templates, find the Workstation Authentication template and duplicate it.
  • Rename the template to WapConsole and change the validity period to 2 years.
  • On the Request Handling tab, select Allow private key to be exported (the PFX is later imported into VMM and distributed to the Hyper-V hosts, so the key has to leave the enrolling machine).
  • On the Subject Name tab, select Supply in the request. The enrollment step below types the common name and alternative names by hand, which is only possible with this setting; the duplicated template otherwise builds the subject from Active Directory.
  • On the Cryptography tab, set the minimum key size to 4096 and, under Providers, choose Microsoft Enhanced RSA and AES Cryptographic Provider (the provider the console connect components expect).
  • On the Security tab, make sure the servers that will enroll (and you) have Read and Enroll. To keep things simple you can add the group Domain Computers and grant it Read and Enroll, but prefer a group containing only the VMM server computer account(s): with the subject supplied in the request and the Client Authentication EKU inherited from Workstation Authentication, a template that every domain computer can enroll lets any domain-joined machine obtain a certificate for a name of its choosing.
  • Click Apply and close the Certificate Templates console.

In the Certification Authority console, right-click Certificate Templates, select New, then Certificate Template to Issue. Select the WapConsole template and click OK.

Enroll Internal Certificate

  1. On the VMM server, open an MMC and add the Certificates snap-in for the Local Computer account. Navigate to Personal, right-click Certificates, and select All Tasks, then Request New Certificate.
  2. On the Request Certificates screen, select the WapConsole template you have just created and click "Click here to configure settings".
  3. In Subject name, choose Common name as the type. As the value I have specified rdgw.bkgcloud.sk.
     In Alternative name, I have added these DNS values: rdsgw01.cloud.local (I have also added rdsgw02.cloud.local, as I will install a second GW server later).
  4. Click Apply and then Enroll.

Export Certificate as PFX and CER

Once you have enrolled the certificate, export it twice: as PFX (with the private key, for VMM) and as CER (without the private key, for the RD Gateway).

Import Certificate to VMM Database and Hyper-V hosts

Run the script below on the VMM server (make sure all Hyper-V hosts are reachable). The PFX and its password are handed to VMM, which distributes the certificate to every Hyper-V host, so keep the PFX file off shared locations and delete it once the import has succeeded.

# Path to the PFX certificate
$MyPFX = Get-ChildItem "c:\temp\rdgw.bkgcloud.sk.pfx"
# Password of the PFX (not $PWD, which is PowerShell's automatic current-directory variable)
$PfxPassword = Read-Host -AsSecureString
# VMM server FQDN
$VMM = "vmm01.cloud.local"
## Main code
Set-SCVMMServer -VMMServer $VMM `
    -VMConnectHostIdentificationMode FQDN `
    -VMConnectGatewayCertificatePath $MyPFX `
    -VMConnectGatewayCertificatePassword $PfxPassword `
    -VMConnectHyperVCertificatePath $MyPFX `
    -VMConnectHyperVCertificatePassword $PfxPassword `
    -VMConnectTimeToLiveInMinutes 1    # console connect tokens are valid for one minute

# Refresh every host so it picks up the new certificate
Get-SCVMHost -VMMServer $VMM | Read-SCVMHost

Import internal certificate to RDS Gateway Server (CER)

Copy the CER file to the RD Gateway server and import it there with the Certificates MMC for the Local Computer.

Add Certificate to Trusted Issuer Certificates

On the RD Gateway server, run the following script (update the RDGW server name and the thumbprint of the CER certificate):

$Server = "rdsgw01.cloud.local"
# 40 hex characters from the certificate's Details tab; the value below is a placeholder.
# If you copy the thumbprint from the MMC, retype the first character: the copied text often
# carries an invisible left-to-right mark that makes the value invalid.
$Thumbprint = "9938B72078CE897466EFDSF69F78239FA5D30C6B3"
$TSData = Get-WmiObject -ComputerName $Server -Namespace "root\TSGatewayFedAuth2" -Class "FedauthSettings"
$TSData.TrustedIssuerCertificates = $Thumbprint
$TSData.Put()

Finally, run iisreset on the RD Gateway server.
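The script below is an added example (not from the original post) that performs the enrollment, export and gateway trust steps above from PowerShell on the VMM server, deriving the thumbprint from the exported CER rather than copying it from the MMC, and reading the setting back from the gateway to confirm it took. It assumes the WapConsole template and the names from the post (rdgw.bkgcloud.sk, rdsgw01/02.cloud.local), C:\temp on both machines reachable through the C$ admin share, PowerShell remoting to the gateway, and LocalMachine\My as the store for the CER on the gateway, which the post does not name.

```powershell
# Added example, not the post's own script. Run on the VMM server as a domain admin.
# Assumptions: template name and host names from the post, C:\temp on both machines,
# the C$ admin share and PowerShell remoting reachable on the gateway.
$Template = 'WapConsole'
$Subject  = 'CN=rdgw.bkgcloud.sk'
$SanNames = 'rdsgw01.cloud.local', 'rdsgw02.cloud.local'
$Gateway  = 'rdsgw01.cloud.local'
$PfxPath  = 'C:\temp\rdgw.bkgcloud.sk.pfx'
$CerPath  = 'C:\temp\rdgw.bkgcloud.sk.cer'

# 1. Enroll against the AD CS template into Local Computer\Personal.
$result = Get-Certificate -Template $Template -SubjectName $Subject -DnsName $SanNames `
                          -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment did not complete (status: $($result.Status))" }
$cert = $result.Certificate

# 2. Export twice: PFX (with private key) for Set-SCVMMServer, CER (public only) for the gateway.
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the exported PFX'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null
Export-Certificate    -Cert $cert -FilePath $CerPath -Type CERT             | Out-Null

# 3. Take the thumbprint from the CER file itself; thumbprints copied from the MMC often
#    carry an invisible left-to-right mark or spaces and are then not a valid SHA-1 thumbprint.
$cerObj = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$thumb  = $cerObj.Thumbprint
if ($thumb -notmatch '^[0-9A-F]{40}$') { throw "Thumbprint '$thumb' is not 40 hex characters" }

# 4. On the gateway: import the public certificate, register the thumbprint as a trusted
#    token issuer, read it back to confirm, and restart IIS.
Copy-Item -Path $CerPath -Destination "\\$Gateway\C$\temp\"
Invoke-Command -ComputerName $Gateway -ArgumentList $thumb, (Split-Path -Leaf $CerPath) -ScriptBlock {
    param($Thumbprint, $CerFile)
    # Store is an assumption: the post does not name one; LocalMachine\My is used here.
    Import-Certificate -FilePath "C:\temp\$CerFile" -CertStoreLocation 'Cert:\LocalMachine\My' | Out-Null

    $fed = Get-WmiObject -Namespace 'root\TSGatewayFedAuth2' -Class 'FedauthSettings'
    $fed.TrustedIssuerCertificates = @($Thumbprint)   # the property is a string array
    $fed.Put() | Out-Null

    # Read back what the gateway actually stored instead of trusting the Put() return value.
    $check = Get-WmiObject -Namespace 'root\TSGatewayFedAuth2' -Class 'FedauthSettings'
    if (@($check.TrustedIssuerCertificates) -notcontains $Thumbprint) {
        throw 'TrustedIssuerCertificates did not take the new thumbprint'
    }
    iisreset | Out-Null
    "$env:COMPUTERNAME now trusts console connect tokens signed by $Thumbprint"
}
```

The VMM side (Set-SCVMMServer with the PFX and Read-SCVMHost) is unchanged from the script above; run it with $PfxPath and $PfxPassword from this script. For a second gateway, repeat step 4 with $Gateway set to rdsgw02.cloud.local; the certificate already carries that name as a SAN.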

Creating Internal DNS zone for bkgcloud.sk

I had to create an internal DNS zone for bkgcloud.sk and add an RDGW.bkgcloud.sk record pointing to the RD Gateway's internal IP (split DNS, so internal clients resolve the same name that is on the public certificate).

Publishing RDGW to the internet

  • Update the public DNS record for RDGW.bkgcloud.sk to point at the public VIP assigned on my firewall
  • Create firewall rules and NAT allowing TCP 443 from the internet to the RD Gateway server

Azure pack integration with RD Gateway

  • Log in to the Azure Pack admin portal, go to the VMM properties and add the Remote Desktop Gateway FQDN, in my case rdgw.bkgcloud.sk
  • Update your hosting plans and check the box Connect to the console of virtual machines

Once you have finished all of the above, you can start testing your Console Connect 🙂

Configuring RD Gateway certificate – Exception calling "Put" with "0" argument(s): "Invalid parameter"

I was trying to configure the TrustedIssuerCertificate on my RD Gateway and experienced the following problem:

$Server = "myrdgw.domain.com"
$Thumbprint = "thumbprint of my certificate"
$TSData = Get-WmiObject -ComputerName $Server -Namespace "root\TSGatewayFedAuth2" -Class "FedauthSettings"
$TSData.TrustedIssuerCertificates = $Thumbprint
$TSData.Put()

It returned the error quoted in the title.

I tried to reinstall the VMM console plug-in with no luck. So I opened a new PowerShell window and typed all the commands manually.

Once successful, the script gives the following output:

Google Analytics for WordPress – OAuth issue

Problem: I activated the Google Analytics for WordPress plugin, but I was not able to authenticate to Google Analytics and was getting an OAuth authentication error. Note that the plugin was fully updated as recommended.

Also, my Google Analytics tracking status was stuck saying: Tracking not installed.

Solution: After some troubleshooting I allowed internet access from my WordPress server. (Also make sure your DNS resolution is working fine.)

Removing footer – Powered by TurnKey Linux from WordPress appliance

This blog is running on WordPress Turnkey Linux http://www.turnkeylinux.org/wordpress

and I wanted to get rid of their default footer with Turnkey credits.

I used PuTTY to log in with my root account and ran the following commands in the shell:

mv /etc/apache2/mods-enabled/substitute.conf /etc/apache2/mods-enabled/substitute.old

touch /etc/apache2/mods-enabled/substitute.conf

/etc/init.d/apache2 restart

Footer is now gone 🙂

The feature: „Using other editions of SQL Server for report data sources and/or the report server database“ is not supported in this edition of Reporting Services

Problem:

I experienced the following error when installing SQL instances for SCOM reporting:

The feature: "Using other editions of SQL Server for report data sources and/or the report server database" is not supported in this edition of Reporting Services

Solution:

My reporting server had been installed with SQL Server 2012 Evaluation edition (by mistake), whereas my Data Warehouse was installed with SQL Server 2012 Standard edition. Once I changed Reporting to Standard edition, the problem disappeared.

The Virtual Machine Manager management server could not copy a required Hyper-V authorization file to hyper-v server

Error:

The Virtual Machine Manager management server could not copy a required Hyper-V authorization file to the Hyper-V server.

Solution:

Make sure the VMM computer accounts, the VMM cluster computer account, the VMM admin action account, the VMM Admins group and the VMM service account are members of the local Administrators group on the Hyper-V server.

Azure Pack Subscription failed

Error:

One or more errors occurred while contacting the underlying resource providers. The operation may be partially completed. Details: Failed to create subscription. Reason: Message : The underlying connection was closed: An unexpected error occurred on a send., InnerMessage: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Solution:
My SPF server uses a public wildcard certificate from the GoDaddy CA. I imported the GoDaddy intermediate certificates on all VMM and SPF servers.
I also changed the IIS website binding on the SPF server from spf.mydomain.com to unassigned.
That solved the above problem.
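A server that does not send its intermediate certificate, combined with a client that cannot build the chain on its own, is one common cause of the "connection was forcibly closed" symptom above. The function below is an added example, not from the original post: run from the VMM or Azure Pack server, it opens a TLS session to the SPF endpoint and reports the chain as the server presented it and how the local machine validates it. The hostname and the SPF port 8090 are assumptions.

```powershell
# Added example, not the post's own script. Run on the server that talks to SPF (VMM or the
# Azure Pack admin API host). Assumptions: SPF hostname below and the default SPF port 8090.
function Test-SpfTlsChain {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 8090                        # assumption: SPF default HTTPS port
    )
    # Hashtable captured by the callback so the validation details survive the handshake.
    $seen = @{ PolicyErrors = $null; Elements = @(); Status = @() }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $seen.PolicyErrors = $sslPolicyErrors
        $seen.Elements = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        $seen.Status   = @($chain.ChainStatus   | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        return $true   # accept only so the chain can be inspected; diagnostic use only
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)     # also checks that the name matches the certificate
        [pscustomobject]@{
            Server       = "${HostName}:$Port"
            ServerCert   = $ssl.RemoteCertificate.Subject
            ChainOK      = ($seen.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
            PolicyErrors = $seen.PolicyErrors     # RemoteCertificateChainErrors = missing/untrusted issuer
            Chain        = $seen.Elements         # leaf first, then the issuers this client could find
            ChainStatus  = $seen.Status           # e.g. PartialChain when an intermediate is absent
        }
    } finally {
        $tcp.Close()
    }
}

# Usage (hostname is an assumption)
$r = Test-SpfTlsChain -HostName 'spf.mydomain.com'
$r | Format-List
if (-not $r.ChainOK) {
    Write-Warning 'Chain does not validate from this machine: install the missing intermediate(s) in the Intermediate Certification Authorities store, or fix the binding so the name matches.'
}
```

A PartialChain status with only the leaf in Chain means the server sent no intermediate and this client could not fetch one; installing the GoDaddy intermediates locally, as the post does, makes the chain build, while fixing the IIS binding to send the full chain fixes it for every client.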

Free Up Disk Space with Disk Cleanup

I noticed that my laptop's C: drive was running out of space, so I decided to delete temporary files, old updates and dump files. Probably the easiest and fastest way to do so is the built-in Disk Cleanup utility.

Click Clean up system files and review/tick all the "Files to delete" options:

The total amount of disk space gained by cleaning up my disk is 8.62 GB – not bad 🙂

Note that on Windows Server, Disk Cleanup is part of the Desktop Experience feature. I found it especially useful for cleaning up the WinSxS folder.

Time server configuration in Hyper-V

I had issues with wrong system time on a freshly installed environment: the VMs were syncing from the Hyper-V host, which takes its time from the server's BIOS. My domain controller was installed as a virtual machine on a Hyper-V host.

First I changed the Integration Services in the domain controller's virtual machine settings and unchecked Time synchronization.

Then I logged in to the domain controller and configured pool.ntp.org as the master time server:

w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /reliable:yes /update

The DC that gets the manual peer list should be the one holding the PDC emulator role, because the domain hierarchy that every other machine follows ends at that role holder. On the second DC, I disabled Time synchronization in Integration Services and ran the following command so that it follows the domain hierarchy:

w32tm /config /syncfromflags:domhier /update

On all other servers, I resynced the time with the following command:

w32tm.exe /resync /rediscover

To check the status or the time source, use the following:

w32tm /query /status

w32tm /query /source
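The check below is an added example, not part of the original post. It confirms the topology the steps above set up: the Time Synchronization integration service is off for the DC VMs (the PowerShell form of the checkbox unticked in the VM settings), the PDC emulator uses the external peer, and no server still takes time from Hyper-V or free-runs on its local clock. Host, VM and server names are assumptions, and it needs the Hyper-V and ActiveDirectory modules. Keep in mind that pool.ntp.org is an unauthenticated internet source and Kerberos tolerates only five minutes of skew, so restrict outbound UDP 123 to the PDC emulator and consider an internal or authenticated source for production.

```powershell
# Added example, not the post's own script. Run from a management box with the Hyper-V and
# ActiveDirectory modules. Host, VM and server names are assumptions.
$HyperVHost = 'hv01.cloud.local'
$DcVmNames  = 'DC01', 'DC02'                                     # VM names as seen on the host
$Servers    = 'dc01.cloud.local', 'dc02.cloud.local', 'vmm01.cloud.local'

# 1. Time Synchronization integration service must be off for every DC VM.
$ics = Invoke-Command -ComputerName $HyperVHost -ArgumentList (,$DcVmNames) -ScriptBlock {
    param($Names)
    Get-VMIntegrationService -VMName $Names -Name 'Time Synchronization' | Select-Object VMName, Enabled
}
foreach ($ic in $ics) {
    if ($ic.Enabled) {
        Write-Warning "$($ic.VMName): Time Synchronization still enabled; fix with: Disable-VMIntegrationService -VMName $($ic.VMName) -Name 'Time Synchronization'"
    }
}

# 2. Only the PDC emulator should carry the manual peer list; everything else follows the
#    domain hierarchy and must not report Hyper-V or the local clock as its source.
$pdc = (Get-ADDomain).PDCEmulator
$report = foreach ($s in $Servers) {
    $source = (w32tm /query /computer:$s /source 2>&1 | Out-String).Trim()
    [pscustomobject]@{ Server = $s; IsPdc = ($s -ieq $pdc); Source = $source }
}
$report | Format-Table -AutoSize

foreach ($r in $report) {
    if ($r.Source -like '*VM IC Time Synchronization Provider*') {
        Write-Warning "$($r.Server) still takes time from the Hyper-V host"
    } elseif ($r.Source -like '*Local CMOS Clock*') {
        Write-Warning "$($r.Server) is free-running on its local clock"
    } elseif ($r.IsPdc -and $r.Source -notlike '*ntp.org*') {
        Write-Warning "PDC emulator $($r.Server) is not using the external NTP peer (source: $($r.Source))"
    }
}
```

A healthy result shows the PDC emulator with pool.ntp.org as its source and every other DC and member server naming a domain controller; "VM IC Time Synchronization Provider" on any DC means the integration service was re-enabled, typically after a VM was recreated or migrated.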